CN105594154B - Method and system for controlling the access to wireless device - Google Patents

Method and system for controlling the access to wireless device Download PDF

Info

Publication number
CN105594154B
CN105594154B CN201480037018.7A CN201480037018A CN105594154B CN 105594154 B CN105594154 B CN 105594154B CN 201480037018 A CN201480037018 A CN 201480037018A CN 105594154 B CN105594154 B CN 105594154B
Authority
CN
China
Prior art keywords
key
link
access
monitoring party
privacy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201480037018.7A
Other languages
Chinese (zh)
Other versions
CN105594154A (en
Inventor
陈宝明
M·J·巴普蒂斯特
黄健汉
吕瀚政
李享
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Certis Cisco Security Pte Ltd
Original Assignee
Certis Cisco Security Pte Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Certis Cisco Security Pte Ltd filed Critical Certis Cisco Security Pte Ltd
Publication of CN105594154A publication Critical patent/CN105594154A/en
Application granted granted Critical
Publication of CN105594154B publication Critical patent/CN105594154B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F41WEAPONS
    • F41AFUNCTIONAL FEATURES OR DETAILS COMMON TO BOTH SMALLARMS AND ORDNANCE, e.g. CANNONS; MOUNTINGS FOR SMALLARMS OR ORDNANCE
    • F41A17/00Safety arrangements, e.g. safeties
    • F41A17/06Electric or electromechanical safeties
    • FMECHANICAL ENGINEERING; LIGHTING; HEATING; WEAPONS; BLASTING
    • F41WEAPONS
    • F41AFUNCTIONAL FEATURES OR DETAILS COMMON TO BOTH SMALLARMS AND ORDNANCE, e.g. CANNONS; MOUNTINGS FOR SMALLARMS OR ORDNANCE
    • F41A17/00Safety arrangements, e.g. safeties
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041Key generation or derivation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471Key exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/082Access security using revocation of authorisation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/082Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

One kind is for safely controlling the system for accessing and further include maintenance device between two wireless (that is, bluetooth enabling) devices.First device and second are matched by establishing safe wireless (that is, bluetooth) link.The first device includes stored part of links key and link key generator:The first device receives the first privacy key from device users, and can also receive the second privacy key from the monitoring party device.The link key generator generates the first link key based on the first part's link key, first privacy key and second privacy key that are stored, or generates the second link key based on the first part's link key and first privacy key that are stored.Access control module in the second device based on for establish access level that the link key of secure connection determines that the first device is awarded fully/limited accass.

Description

Method and system for controlling the access to wireless device
It is incorporated by reference into
The application quotes following file:
Singapore patent 2008057382
The full content of this document is incorporated in herein by reference.
Technical field
The present invention relates to wireless devices, and are related to for controlling the access to wireless device according to a kind of particular form Method.
Background technology
The specification (hereinafter referred to Bluetooth specification) of Bluetooth system limits short distance radio communication system.The system without Frequency hop spread spectrum is used in the industry of license, science and medicine (ISM) 2.4GHz short-distance wireless electric frequency bands.The main quilt of bluetooth Designed for low-power short haul connection, usually using embedded inexpensive transceiver microchip in a device.It can be based on limit Device is assigned classification by the maximum allowable power of fixed effective transmission range.1 device of classification has the range of about 1m, classification 2 There is device the range of about 10m, 3 device of classification to have the range of about 100m.Since bluetooth is the system based on radio frequency, dress Communication between setting needs not be sight.The version 1.2 of specification provides the data rate of 1MBit/s, and version 2 .0+EDR is provided The data rate of 3MBit/s.The version 2 .1 of specification is used on July 26th, 2007 and includes simple and safe pairing, with Safety is increased to period.Version 3 .0+HS is used on April 21st, 2009 and includes by using bluetooth negotiation IEEE The up to high-speed data transfer of 24Mbit/s of 802.11 links.Edition 4 .0 includes pair in 3 Japan use June in 2010 The support of bluetooth low energy (BLE is known as Wibree before).Realize that the device of Bluetooth specification will be referred to as bluetooth and start dress It sets.
Blue-tooth device is assigned unique bluetooth device address (BD_ADDR), which registered from IEEE 48 bit address that mechanism assigns.The address is made of three fields:Including 24 lower address parts (LAP), upper comprising 8 Address part (UAP) and the non-significant address part (NAP) formed by 16.LAP is assigned by company, and UAP and NAP Formation company ID.The 64 continuous LAP values for existing for inquiry operation and retaining.
Start from the access generation based on unit address or the LAP for inquiring address via whole Bluetooth transmissions of physical channel Code.Use device fetcher code (DAC) during paging.Bluetooth device address is only needed to establish connection.Newly connect to establish It connects, using paging, wherein device carries out page scan using the bluetooth device address of target.It can be interacted from user, Or bluetooth device address is obtained via device request, wherein device requires the bluetooth device address of whole device nearby (also There is provided additional information).Each device can choose whether to respond inquiry request.
In order to establish secure connection between two blue-tooth devices, Bluetooth specification defines safety profile 3, the peace Full sexual norm 3 is link rank safe mode.By establishment, exchange and store related to the bluetooth device address of another device The common link key (K) of connection creates combination between the devices, and says that these devices are combined or match.It is being filled at two During establishing secure connection between setting, the common link key is used in verification process, and the common link key also may be used With for generating the encryption key for the data sent by the connection to be encrypted.
Bluetooth specification limits pairing process (LMP is matched, also known as simple pairing), can be directed to generate and store with It is standby rear to be executed with the purpose of the link key of (its be known as in conjunction with), or as establishing safety between two A part for the process of connection.The pairing process is related to creating initialization key K in two devicesinit, use the initialization Key KinitTo create composite link key KAB, then mutually with respect to the composite link generated before allowing to establish secure connection Key is authenticated.
Initialization is executed by 128 random numbers (IN_RAND) to be sent to the first device (A) of second device (B) Generation.Then, each device uses the bluetooth device address (BD_ADDR of first deviceA), by first device generate it is random All known (the being usually 4) PIN code of (IN_RAND) and two devices is counted to create initialization key Kinit.It is generating After initialization key, composite link key (K is generatedAB).Two device selection initialization key KinitCarry out step-by-step exclusive or 128 random number (LK_RANDA、LK_RANDB) it is then sent to another device.Then, each device extraction is another The random number of a device, and it is based on (LK_RANDA、LK_RANDB、BD_ADDRA、BD_ADDRB) close to create common link Key.Finally, mutual authentication step is executed.
In mutual authentication step, first device selects 128 random number (AU_RANDA) as trial, and be sent to To second device.Second device uses the (AU_RAND for being sent back to AA、BD_ADDRB、KAB) create 32 word SRES 'A.A profits SRES is carried out with identical inputAThe calculating of its own, and two numbers are compared.If SRESAAnd SRES 'APhase Symbol then repeats the processing, but the role of A and B is switched (that is, B is initiated, and A makes a response).The mutual authentication process is also For when two contrast means establish the secure connection in any future (in this case, link key have existed and It necessarily regenerates).
The problem of pairing process, is, if third party has eavesdropped entire pairing process, they can pass through whole It can be calculated with the spaces PIN to execute brute-force, and obtain link key.For example, can be 63 using 3GHz Pentium IV processors Four pin are cracked in millisecond.The version 2 .1 of specification limits safe and simple pairing to be carried by using public's key cryptographic systems It is protected for passive wiretapping.Device exchanges public's key, and is exchanged using one in 4 agreements for generating shared key Information.Then according to derived from shared key and the open data exchanged calculate link key.This to obtain link The task of key becomes the problem more difficult than before, but in most cases, it is still susceptible to " go-between " attack.
No matter more unsafe version according to safer version 2 .1 specifications or earlier executes pairing, and problem exists It can be controlled in which device and when generate new link key.It is distributed to user in some cases in device, it can be to It hopes, executive device is matched by controlling or being supervised, and prevents further (again) without authorizing Pairing.The applicant solved the problems, such as to establish safe bluetooth connection in Singapore patent 2008057382, this it is new plus The full content of slope patent is incorporated in herein by reference.
Although this method provides safety knot merging between two and prevents distorting for link, it is not provided To the safe access control of device, or do not ensure that device is distributed to suitable individual even, for example, if user and Fa yet Cloth side colludes with, or if user irrelevantly obtains privacy key to allow it voluntarily to issue a pair of of device.It is other more generally Universal wireless communication structure and agreement may also have the shortcomings that this.Accordingly, there exist the safety provided between two The demand of access control system.
Invention content
According in a first aspect, being provided with a kind of method for the access in safety control, this method includes following Step:
The storage section link key in first device;
By the first device the first privacy key is received from the first source;
It generates for establishing and the link key of the secure connection of second device, wherein if the first device is from the Two sources receive the second privacy key, then the link key, which has, utilizes stored part of links key, first secret close Key and second privacy key and the first link key value generated, or it is secret close if not receiving second from the second source Key, then the link key is with the second chain for utilizing stored part of links key and first privacy key and generating Road key value;
The link generated is stored in the first device;
Safe wireless connection is established between the first device and second device using the link key;
If the link key has the first link key value, from the second device to the first device The access of the first level to the second device is authorized, and if the link key has second link key Value, then authorize the access of second level, and the access of the second level has the access fewer than the access of the first level.
According to second aspect, it is provided with a kind of device comprising:
Memory, the memory include first part's link key;
User's input module, user's input module are used to receive the first privacy key from user;
First communication module, the first communication module is for receiving the second privacy key;And
Link key generator, the link key generator are used for based on the first part's link key, described stored First privacy key and second privacy key generate the first link key, or based on the first part's link stored Key and first privacy key generate the second link key;
Secure wireless communication module, the secure wireless communication module are used to use first link key or described second Link key connect to establish with the safe wireless of the second enabling device.
According to the third aspect, it is provided with a kind of device comprising:
Memory, the memory include the first link key and the second link key;
Wireless communication module, the wireless communication module are used to use first link key or second link key It is connect with the safe wireless of second device to establish;
Access control module, which is used for will be to one or more functions of device or the access of resource It is granted to the second device, wherein connected if establishing the safe wireless with the first link key value, the access control The access of first level is granted to the second device by molding block, and if establishes the safety with the second link key value It is wirelessly connected, then authorizes the access of second level, the access of the second level is with fewer than the access of the first level It accesses.
According to fourth aspect, it is provided with a kind of monitoring party device comprising:
Memory, the memory is for storing privacy key;
Communication module, which is used to establish and the communication link of the first device, and the secret is close Key is supplied to described device for generating link key, and the link key is for generating and the secure connection of second device.
According to the 5th aspect, it is provided with a kind of system comprising:
According to the first device of the second aspect;
According to the second device of the third aspect;And
According to the monitoring party device of the fourth aspect.
According to other aspects, described device may include processor and memory, which includes described for executing The instruction of the method for first aspect, and processor readable medium can also be provided, which includes using In the processor readable instruction of the method for executing the first aspect.
Description of the drawings
With reference to the accompanying drawings to embodiment is discussed, wherein:
Fig. 1 is the block diagram for providing the system to the access control of device according to embodiment;
Fig. 2 is the flow chart according to the method for the access in safely control device of embodiment;And
Fig. 3 is provided to second device not for the first device based on the geographical location of first device according to embodiment The schematic diagram of the geographic area of the access of same level.
In the following description, run through attached drawing, identical reference numeral refers to identical or corresponding component.
Specific implementation mode
Referring to Fig.1, the system 100 for the access in safely control device according to embodiment is shown.Fig. 2 shows The flow chart for the method 200 for the access in safely control device implemented in system 100 shown in Fig. 1 is gone out. Term device will be used by way of it can be interchangeable with device, and can be in single housing or as single group Part can be made of described function or its is arranged multiple components, and the multiple component can such as pass through line at it Cable, electric wire or Radio Link carry out function connects to be distributed.
System 100 includes first device 110, second device 120 and monitoring party device 130.First device is pacified by establishing Full Wireless communication link 102 is matched with second device.Once establish safe wireless connection, first device attempt to access by The function and resource 126 that second device 120 provides.Access control module 124 based on for establish safe wireless connection 102 chain Road key determines the rank for the access authorized to first device.If link key it is unrecognized (that is, not with the link that is stored Key matches), then safe wireless connecting link is not established, and does not authorize access.
In order to further illustrate this method, it is the reality of bluetooth enabling device that first device and second device, which is described below, all Apply mode.It is to be appreciated, however, that this be to help understanding the present invention, and the present invention is not limited to bluetooth enable device/ Equipment, but other communication system/associations suitable for supporting to establish secure communications links based on known or shared link key View.In this embodiment, it includes the bluetooth communication 122 for having antenna 123 that the second bluetooth, which enables device 120, comprising The modification realization method of Bluetooth specification, disabling are used for generating the standard cohesive process of link key.Link key is such as bluetooth 128 digits (that is, 128 random numbers) limited in specification, and be adapted for carrying out for supporting using Bluetooth protocol come two A bluetooth establishes certification and generation that safety matches the encryption key of connection between enabling device.Device 120 is not establishing safety Generated during bluetooth connection link key and risk it is possible be ravesdropping or the risk of other spoofing attacks, be and will be used to build Multiple link keys storage of the vertical safe bluetooth connection 102 that device is enabled with another bluetooth is in memory.Access rights Access control rank or group are stored or associated with each link key.Access control rank can be used to control to the Two bluetooths enable the access of the function or resource of device.Other data can also be associated with link key (for example, for matching Bluetooth address, the term of validity of device etc.).
In this embodiment, the second bluetooth enables device and stores two link keys:With unrestricted access level First link key 118 of (that is, accessing completely) and the second link key 119 with limited access level.Other In embodiment, two link keys can be stored over to provide the range of access level (and therefore functional).Link Key is stored in memory or storage assembly, and the memory or storage assembly can be RAM, ROM, storage card, firmware core Piece or other suitable means for storing information.Device can also include the operation for control device (not shown) Microprocessor or microcontroller.
In order to establish safe bluetooth communications link, the first bluetooth enabling device must be generated to be deposited by the second bluetooth enabling device One in the link key of storage.It includes in the memory for including in a device or storage assembly that first bluetooth, which enables device 110, The part of links key (PLK) 111 of storage.The component may include RAM, ROM, storage card, firmware chip or for storing Other appropriate means of information.Device can also include the microprocessor or microcontroller of the operation for control device (not shown) Device.
It further includes user's input module 112 that first bluetooth, which enables device 110, can be that such as (it can be keypad It is number, alphabetical, symbol etc.), keyboard, bio-identification scanner or near field reader (for example, safe ID is marked) this The input unit of sample.Input unit can be integrated into device, using wired connection (for example, USB or other cables) or It is attached via such as bluetooth, Wi-Fi, mobile communication link or other radio frequencies or IR links.If passing through wired connection Input unit is integrated or is connected, then the safety of system enhanced, and is eavesdropped or the risk of deception with reducing.Such as Many indigo plants of mobile computing device (for example, tablet computer, laptop computer, mobile phone, trunked radio intercom cellphone) It includes user input apparatus, microprocessor and memory that tooth, which enables device, and can using method described herein come pair These built-in features are configured, in case using.User's input module 112 is used to receive the first privacy key 113 from user. The privacy key 113 can be password, digital code, keyed hash etc..First bluetooth, which enables device, can have its unique work( Can, and can also include the communication module and use for being communicated by mobile phone or long-haul radio agreement Family interface.
It further includes the link key generator for generating link key 114 that first bluetooth, which enables device,.Link key is given birth to It may include hardware, software, or its combination to grow up to be a useful person, and can be in one or more general processors, microprocessor, special Integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA) are designed as executing generation chain Implement in other electronic units of the function of road key, the link key can be generated using known encryption method, it is described Known encryption method uses E2 the or E3 key systematic functions used in two inputs numbers, such as Bluetooth specification.
Link key generator is configured to receive the part chain stored in the first privacy key 112 and device from user Road key 111.In addition, link key generator be configured to receive from monitoring party device 130 by communication link 136 it is second secret Key 132 (the second privacy key will also be referred to as monitoring key).Communication link can be wired or wireless link.Wireless Can be near field or the short-range communication link of such as Bluetooth link in the case of link.Communication link can be logical safely Believe link.It includes the communication mould for being communicated with monitoring party device 130 by communication link 136 that first bluetooth, which enables device, Block.
Link key generator 114 is configured to based on first part's link key 111, the first privacy key stored 113 and second privacy key 132 generate the first link key 118, or if the second privacy key is unavailable (such as in profit Other than communication range with monitoring party device) then based on the first part's link key 111 stored and the first privacy key 113 To generate the second link key 119.Realize that the bluetooth communication 117 of the revision of Bluetooth specification uses generated link Key come establish with second enable device 120 safe bluetooth connection.First bluetooth enables device and can be configured only to temporarily The first privacy key of ground pair and/or the second privacy key carry out storage prolonged enough to allow the generation of link key.Such as Fruit the first privacy key 113 or the second privacy key 132 are all not provided to the first bluetooth and enable device, then can not generate chain Road key, and the secure communications links that device is enabled with the second bluetooth can not be established.
In the above-described embodiment, first device and second device are all that bluetooth enables device.It is to be appreciated, however, that Described method is not limited to bluetooth and enables device/equipment, but is readily applicable in known (or shared) link key On the basis of execute secure communications links foundation other communication system/agreements, one in link key is to be based on device What the part of links key of middle storage generated, and another is stored in second device.In some embodiments, these Other communication protocols or short-range communication protocols (that is, being less than less than 100m and in one embodiment 10m), because its Then it requires to be maintained at close between first device and second device.Device can by link key and specific device Location (such as bluetooth device address) is associated, or the MAC controller (MAC) with the wireless communication module for device Address is associated.That is, link key can be directed to specific device.
Monitoring party device 130 includes memory for storing the second privacy key 132 and for by the second privacy key 132 are sent to the communication module 134 that the first bluetooth enables device.Since the second privacy key effectively controls the user of first device By the access level to second device of acquisition, the second privacy key is effectively monitoring key.Communication module 134 may be implemented Wired and or wireless communications agreement, such as use antenna 135.Wireless communication protocol can be near field (being less than 1m) or short distance Communication protocol (that is, less than 100m or being less than 10m).Second privacy key 132 can be stored in memory or it can be with It is provided using user interface 137 by user's (for example, monitoring party).
Monitoring party device can be the mancarried device under monitoring party control.Monitoring party can be monitored the first dress or be authorized It sets and is distributed to user (for example, security personnel or police), and one handled as release processing and configuration with second device First device can be supplied to by the second privacy key by dividing.In this way, the feelings only formally issued in first device and second device Under condition, then functional access of the user by acquisition to second device, thus the misuse or the use without authorizing of anti-locking apparatus. When monitoring party logs on to monitoring party device, the second privacy key can be stored, or monitoring party can be required to key in the second secret Key is sent to first device, in this case, is only temporarily stored in memory.
In another embodiment, monitoring party device is mounted or is located in fixed position.This can be used to base In the access control of proximity.For example, monitoring party device can store the second privacy key 132 in memory, and make Privacy key is wirelessly sent to whole dresses in the first communication range near field or short-range communication protocols (for example, bluetooth) Set/equipment or institute's screening device.In this embodiment, first device can be configured to control in supervision in first device 110 While in 130 communication range, that is established by using the first link key 118 generated using the second privacy key is logical Link 102 is believed only to keep the communication with second device 120.That is, only when first device is maintained at monitoring party device The access of first level is just authorized when in the first communication range.Once first device is not in the first communication range of monitoring party device Interior, device is configured as releasing the communication link 102 established with the first link key 118, then uses and is awarded to limited accass The second link key 119 for giving re-establishes communication link.
Fig. 2 shows the flow charts according to the method 200 for the access in safely control device of embodiment.It should Method includes the following steps:
Storing step 202, the storing step 202 is by part of links key storage in first device;
Receiving step 204, the receiving step 204 receive the first privacy key by first device from the first source;
Generation step 206, the generation step 206 generate close for establishing the link being connect with the safe wireless of second device Key, wherein if first device receives the second privacy key from the second source, link key, which has, utilizes stored part chain Road key, the first privacy key and the second privacy key and the first link key value generated, or if not from the second source The second privacy key is received, then link key has and utilizes stored part of links key and the first privacy key and generate Second link key value;
The link generated is stored in first device by storing step 208, the storing step 208;
Establishment step 210, the establishment step 210 are established using link key between the first device and second device Safe wireless connects;
Step 212 is authorized, if link key has the first link key value, is authorized from second device to first device Access to the first level of second device, and if link key has the second link key value, authorize second level Access, the access of second level has the few access of access than first level.
In one embodiment, the first source is the user of first device and the user of second device, and the second source is Monitoring party device.It can be by user monitoring party control device, and from monitoring party receive the second privacy key (or prison Pipe key), and it can be portable.That is, the first privacy key can be input to by the user of first device In first device, and the second privacy key is not input to by user in first device.
Alternatively, monitoring party device may be at fixed position, and if first device is in the of monitoring party device In one communication range, then the monitoring party device can be come wirelessly using near field or short-range wireless communication protocol by the second secret Key is sent to first device from monitoring party device.In addition, only when first device is maintained at the first communication model of monitoring party device The access of first level is just authorized when enclosing interior.It, will when first device is no longer in the first communication range of monitoring party device It is connected and is released using the safe wireless between first device and second device of the first link key, and use the second link Key connects to establish new safe wireless.The second privacy key can be sent by secure wireless link.
In an embodiment or application, can under safety or public security environment using system described herein and Method has such as mobile communications device (for example, radio or mobile phone) under the safety or public security environment to user's publication Equipment and such as weapon (for example, pistol, stun-gun, baton) controlled device and holster.Method and system can be by For ensureing the making full use of when it is issued by monitoring party only to free-moving around operating area of controlled device User is available.Similarly, it by using fixed monitoring party device, can provide close to control so that only being fixed when user is in It can provide and make full use of when in the first communication range of formula monitoring party device.
For example, in one embodiment, first device is to be distributed to the mobile phone of user, and second device is hair Weapon of the cloth to user.In this embodiment, the ability fired weapon come access control based on link key.Namely It says, unless two devices are all distributed to user (for example, security personnel) by monitoring party, otherwise weapon is restricted/prevents, the prison Guan Fang also provides the second privacy key to first device (mobile phone) when being issued so that can use the first link Key (abundant access link key) establishes secure communications links.If user is not authorized by monitoring party (that is, secret not by second Key is provided to first device), then user will be unable to percussion weapon.In this case, such as security personnel is being assigned to come The control based on proximity can also be used in the case of defendance specific buildings.In this case, monitoring party device can be with Coexist between floors/place so that only when security personnel keep with building close to when be just awarded using weapon.If Security personnel removes the first communication range, then the functionality of weapon is rejected.
In another embodiment, second device can be secure communication device (for example, police radio).This is logical safely T unit can be for good and all distributed to police.When changing shifts beginning, the second privacy key can be supplied to publication by monitoring party To the first device of police, which can be mobile phone, GPS unit, weapon or ID labels, and can be at two Safe bluetooth communications link is formed between device.In this case, police will be allowed fully to access and such as send and receive The police radio of the ability of transmission.However, at the end of changing shifts, or when next, limited visit can be provided for police It asks, such as prevents from sending (that is, being only capable of listening to), or be only permitted to carry out urgency traffic.It is obtained other people (that is, not being police) In the case of obtaining police radio and first communication device, other people can not will use police radio (i.e., it is possible to anti-at all for this Only it sends or receives), this is because other people will be unaware that the first privacy key that radio is distributed to police this, and because This will be unable to establish any secure communications links with police radio (second device).
In another embodiment, monitoring party device is remote server.The remote server storage is one or more Second privacy key (we are referred to as administrative key in following embodiment for it), one or more second is secret Key is via private or public telecommunication network (for example, via GPRS, 3G, LTE or via the data of SMS) or long haul communication Link is sent to first device.In one embodiment, administrative key is sent by safety chain.The remote server It can be the Central Management Server of centrally stored multiple privacy keys for multiple devices.That is, remote server Many devices and many users can be supervised.It is then possible to based on the additional information of changing shifts register etc. come decide whether by Privacy key is sent to specific device, to ensure that only (for example, when user is in changing shifts) provides higher level in the suitable time Access.
In one embodiment, after the first device that administrative key is sent to wireless communication link, monitoring party Device maintains and monitors communication link.First device can be constructed such that if dropped communication link, release using root The secure connection established according to the link key that administrative key generates, or access level is cancelled.In another embodiment, It is required that first device is periodically reported for work using monitoring party device, and if not establishing connection, it is close according to supervising to release use Link key that key generates and the secure connection established, or access level is cancelled.
In another embodiment, second server key can be associated with specific geographical area, and system is by structure Cause so that only when first device be in specific geographical area (approval region) it is interior when chain of the maintenance based on second server key Road.
Monitoring party device may include location verification module 302, which is configured to the first dress of monitoring The position set.If detecting that first device leaves the associated approval region of use with administrative key, to first device It sends the order for the revocation for leading to present access level.This can by release using using supervise generation the first link come The first device of the safe wireless connection of foundation is realized and (can establish new connection immediately using different link keys).Separately Selection of land, second device can be informed that present access level will be revoked.First can be determined based on location-based service module 304 The position of device, the location-based service module 304 estimate the position in private or public mobile network of first device (for example, small Area ID or using independently of first device other information) or first device may include to monitoring party device provide position The position estimator module 306 of estimation.It is noted that in this context, term place and position are considered equivalent (that is, ground Point estimation is equal to location estimation).Position estimation module 306 can be global positioning system (GPS) receiver or be used for base In the wireless whole world or other receivers of area positioning system (for example, GPS, GLONASS, QZSS, IRNSS etc.), this is based on The wireless whole world or area positioning system include satellite-based system and satellite-based enhancing system (for example, WASS, EGNOS etc.) or using with known location transmitter similar system.
Fig. 3 be according to the schematic diagram of the geographic area of embodiment, wherein the geographical location based on first device be this One device provides the access to the different stage of second device.Monitoring party device 130 includes database 138, which deposits One group of second secret (that is, supervision) key is stored up, each in one group of second privacy key is associated using geographical Region.In this embodiment, database 138 by four administrative keys S1, S2, S3 and S4 and associated region A1, A2, A3, A4 is stored together, the region that qualified association administrative key can be used by first device 110.These regions will be referred to as criticizing Quasi- region.As described above, administrative key is sent to first device, which uses administrative key and the first privacy key To generate for establishing the link key for connecting 102 with the safe wireless of second device 120.In this case, second device One group of four link key that storage can be generated from S1, S2, S3 and S4, coming together to control to work as together with associated access level makes Which kind of function/resource can be accessed in second device with first device when associated link key.Administrative key and approval area The association in domain or link key and access level be associated with can via in database table shared index, via lists of links Or other data structures or pointer.
The data in (and maintenance) such as mobile telephone network are established between monitoring party device 130 and first device 110 The wireless communication link 136 of link.Monitoring party device receives the location estimation of first device.These location estimations can be by such as Position estimator as GPS receiver that is that first device 110 includes or operationally being connect with first device 110 306 come provide or monitoring party device can from another entity receive location estimation.For example, if first device is mobile electricity Words, then monitoring party device can be from the request location estimation of the location-based service module 304 in mobile telephone network, the location-based service mould Block 304 comes the position of estimating mobile telephone using network data.Location estimation can be and cell residing for first device or small The associated region in area sector or location-based service module can attempt based on first device and network infrastructure (for example, its Base station can see mobile terminal) between communication come triangle geometry calculate first device position.Referring back to Fig. 3, first Device provides the first position estimation in the A1 of region.Therefore, monitoring party device provides administrative key S1 to first device, The first device generates the first link key using administrative key S1, which is used to build up and the second dress 120 secure wireless communication link 102 is set, and the first device obtains the access to the first level of second device.Then, The user of first device and the user of second device advance to move ahead along path 310, and the sending area A1 at point 311. Since device 110 is no longer in approval region A1, administrative key S1 is no longer valid, it is therefore desirable to will be authorized and be filled to second Access level (or permission) revocation set.
It can be used to monitoring position there are number of mechanisms and initiate the revocation of present access level.In an embodiment In, monitoring party device is just monitoring the position of first device.It can be continuous or periodically, such as by when defined Between interval obtain location estimation or sequential positions estimation between gap it is long unlike intervals.It can be by wireless Link 136 directly obtains location estimation from first device (for example, GPS receiver in use device), or can pass through Location-based service in mobile network provides location estimation.Suitable time interval can be every 10 seconds, 30 seconds, 1 minute, 5 points Clock is 10 minutes every.Monitoring party device can check each received location estimation, come determine first device whether Ratify in the A1 of region.Once it is determined that first device is no longer in approval region, monitoring party device can be sent out to first device It loses one's life order, with the safety with second device for releasing with being established using first administrative key S1 associated with approval region A1 Connection.In another embodiment, region A1 will be ratified together with association administrative key S1 and be sent to first device, and the One device is configured to whether check device is located in approval region.When first device determines that it is no longer in approval region A1 When, first device is configured to release and be connect with the safe wireless of second device.In another embodiment, first device can be with There is provided location estimation and approval region A1 to second device, which monitors the position of first device and be configured to It just releases when determining that first device is no longer in approval region A1 and is connect with the safe wireless of first device.
When first device leaves approval region and releases the secure connection with second device, first device can use The different link keys of new position based on first device establish the new secure connection with second device.Such as in figure 3, Since first device 110 is moved across by passing point 313 boundary of A1, first device is no longer on approval region A1 to A4's In any one, and therefore monitoring party device will not send administrative key to device.In this case, first device will only make It is connect with the safe wireless of second device with the first privacy key to establish, therefore only receives low access level.However, due to One device advances along path 310, will be moved at point 312 in approval region A2.Once it is in the A2 of region, supervision Square device just will send administrative key S2 by Radio Link 136, and first device can release the elder generation with second device Preceding secure connection, and new secure connection is established using the link key generated according to administrative key S2, and therefore by second Device authorizes access level associated with approval region A2.Since first device passes through along path 310, the device is in point Enter approval region A3 at 313.Ratify region A3 when being all contained in A2 with associated with approval region A2 Access different access levels.Therefore with first device point 313 at enter A3, will by first device, second device or Monitoring party device determines that first device is in approval region A3, and administrative key S3 is sent to the by monitoring party device 130 One device.Secure connection 102 between first device and second device can be released from and using new link key come weight It is new to establish, access level associated with region A3 is may then based on to authorize the access to second device to first device. It is then departed from approval region A3 once certain first device is moved along path 310 and reenters approval region A2, theft-resistant link chain Road 102 is just released from and re-establishes, and access level returns to access level associated with region A2.
Release and re-establish safety chain 102, then change for first device access level the process with First device moves along path 310 and is continued.For example, as first device removes approval region A2, access level at point 315 It is based only upon the access that the first privacy key is returned to base-level.However, as first device enters region at point 316 Administrative key S4 is sent to first device by A4, monitoring party device so that first device can obtain associated with region A4 Access level.Finally, as first device leaves region A4 at point 317, access level is based only upon the return of the first privacy key To the access of base-level.
In one embodiment, it is not to make first device and second device when crossing the boundary in approval region with it It releases secure communications links 102 and re-establishes new secure communications links, first device can maintain existing secure communication Link 102 provides new link key by secure communications links simultaneously.When to determine that it is no longer on close for current ink for device When the approval region of key, either when device receives the order of de-links from monitoring party device or the new administrative key of reception (can Selection of land is used for the approval region using the key) when, first device can be configured to based on the first privacy key and supervision Key (if being provided by monitoring party device) (that is, if first device is going into or is remained in approval region) generates New link key.New link key can be sent by secure connection 102, and second device can compare and first device Its database of associated link key checks the new link key.If the new link key is known, currently Access level can be changed into new access level associated with the new link key.The embodiment is by being maintained at the first dress It is associated with releasing and re-establishing new secure communications links to reduce to set the raw security communication link between second device Delay, only send the newer configuration information (that is, new link key) of institute on the contrary.In one embodiment, do not change safety The configuration of communication link, opposite new link key are used only for establishing new access level.In another embodiment, secure communication Link is reconfigured to utilize new link key.For example, any link relevant parameter is recalculated using new link key, Such as encrypted link relevant parameter, and at designated time or trigger point, in each device to these parameters into Row update so that link will use new parameter.It is this to reconfigure compared with releasing before and re-establishing secure communications links Method can also reduce delay.
From figure 3, it can be seen that approval region can have various geographic shapes.Although not shown in FIG. 3, batch Quasi- region can have irregular shape or boundary, and ratify region and can partly or entirely be embedded in other approval areas In domain (such as A3 is entirely included in A2).This allows the institute that monitoring party device can be in a particular area by user To provide precise controlling.In other embodiments, may exist a variety of monitoring party devices.For example, in an embodiment In, the supervision that Central Management Server can be used to be directed to first group of region (for example, A1, A2 and A4 in Fig. 3) is close Key, and provide for one of the key based on proximity of other regions (for example, the limited area A3 in the A2 of region) or More monitoring party devices.These additional monitoring party devices provide the administrative key based on proximity, and therefore can be used for Mobile phone receives poor place, or for physical proximity is preferred highly safe place.
Other modifications and embodiment are possible.For example, therefore monitoring party device may be used as storage is directed to multiple dresses The Central Management Server for multiple second privacy keys set, and each in the second privacy key can have be stored with The associated region of privacy key.Alternatively, key can have time limit or expiration time, should after the time limit or expiration time The unusable either safety chain 102 of key is possible to be needed to be released from or can require first device to contact monitoring party dress It sets, which can issue approval or new expiration time, to allow to be continuing with link.It can be deposited in second device Equivalent information is stored up to support these to control (for example, time cycle, using area etc.).In one embodiment, when building first Monitoring party device can send one group of link key (for example, S1 to S4) and one group of association area when vertical secure communications links 102 Domain (for example, A1 to A4), and first device can be configured to based on location estimation come regenerate link key and by its Second device is provided, to allow the control to access level.
Methods, devices and systems described herein are advantageously provided between two (and in a reality Apply in mode between bluetooth enables device, establish secure connection, and based on for establish the link key of secure connection come Control the security access system and method for the access to second device.Access can be provided by using multiple link keys It finely controls, each in multiple link keys provides the access of different stage.In addition, each link key can be limited Access areas or link key to be used using limited geographic area, such as around monitoring party device can with batch Quasi- region and to use the location estimation of which link key associated for determination, it is thus determined that first device will be awarded The access of which kind of rank.
It will be understood by those skilled in the art that redisplaying information and signal can be come using any one of various technologies.Example Such as, reference data, instruction, order, information, signal, bit, symbol and chip can be come through above description, representative has electricity Pressure, electric current, electromagnetic wave, magnetic field or particle, light field or particle or any combination thereof.
It will be further understood by those skilled in the art that the various illustrations described in conjunction with embodiment disclosed herein Logical block, module, circuit and the algorithm steps of property can be realized as electronic hardware, computer software or the combination of both sides. For clearly this of exemplary hardware and software interchangeability, above usually just functional aspect to various illustrative groups Part, block, module, circuit and step are described.The functionality is to depend on being applied to realize as hardware or software Specific application in whole system and design limitation.Technical staff can come real according to the different modes for each specific application Existing described function, but this implementation decision is not to be construed as causing a departure the scope of the present invention.
The step of method or algorithm for being described in conjunction with embodiment disclosed herein can be embodied directly in hardware, In the software module executed by processor or in the combination of hardware and software.For hardware realization, processing can be one A or more application-specific integrated circuit (ASIC), digital signal processing device (DSPD), can compile digital signal processor (DSP) Journey logical device (PLD), processor, controller, microcontroller, microprocessor, is designed as field programmable gate array (FPGA) Execute other electronic units of function described herein or a combination thereof realize.Software module is also known as computer program, meter Calculation machine code or instruction can include multiple source codes or object code segmentation or instruction, and can reside in such as RAM Memory, flash memory, ROM memory, eprom memory, register, hard disk, moveable magnetic disc, as CD-ROM, DVD-ROM The computer-readable medium of any computer-readable medium or any other form.Alternatively, computer-readable medium can be with It is integral to the processor.Processor and computer-readable medium can reside in ASIC or relevant apparatus.Software code can be deposited It stores up in the memory unit and is executed by a processor.Storage unit can be realized in processor or outside processor, this In the case of, storage unit can be coupled by way of it can communicate with processor via various modes known in the art.
It through the specification and following claims, requires otherwise unless the context, word " comprising " and "comprising" And it includes regulation integer or integer group that the modification of such as " comprising " and "comprising", which will be understood as implying, but be not excluded for other whole Number or integer group.
It is not to the reference of any prior art in this specification, and should not be taken as the prior art and form public affairs Know the confirmation of any type of suggestion of a part for common sense.
It will be understood by those skilled in the art that the present invention is not limited to its uses to described specific application.The present invention It is not limited to its preferred embodiment relative to particular element described herein and/or feature.It will be appreciated that the present invention is unlimited In disclosed one or more embodiments, but without departing substantially from being stated and be defined by the following claims It can carry out various rearranging, change and replacing in the case of the scope of the present invention.

Claims (51)

1. a kind of method for the access in safely control device, this approach includes the following steps:
The storage section link key in first device;
By the first device the first privacy key is received from the first source;
It generates for establishing the link key being connect with the safe wireless of second device, wherein if the first device is from the Two sources receive the second privacy key, then the link key, which has, utilizes stored part of links key, first secret close Key and second privacy key and the first link key value generated, or it is secret close if not receiving second from the second source Key, then the link key is with the second chain for utilizing stored part of links key and first privacy key and generating Road key value;
The link generated is stored in the first device;
Safe wireless connection is established between the first device and the second device using the link key;
If the link key has the first link key value, authorized from the second device to the first device Access to the first level of the second device, and if the link key has the second link key value, The access of second level is authorized, the access of the second level has the access fewer than the access of the first level.
2. according to the method described in claim 1, wherein, first source is the use of the first device and the second device Family, and second source is monitoring party device.
3. according to the method described in claim 2, wherein, the monitoring party device is the control by the monitoring party of the user Device, and receive second privacy key from the monitoring party.
4. the method according to Claims 2 or 3, wherein the monitoring party device is mancarried device.
5. the method according to Claims 2 or 3, wherein the monitoring party device is in a fixed position.
6. if according to the method described in claim 5, the method, which further includes the first device, is in monitoring party dress In the first communication range set, then using near field or short-range wireless communication protocol come by second privacy key from the prison Pipe side's device is transmitted wirelessly to the first device.
7. according to the method described in claim 6, wherein, only when the first device is maintained at described in the monitoring party device The access of the first level is just authorized when in the first communication range.
8. according to the method described in claim 7, wherein, when the first device is no longer on described in the monitoring party device When in the first communication range, the peace between the first device and the second device of the first link key will be used Full Wireless connection is removed, and new safe wireless connection is established using the second link key.
9. the method described according to claim 6 or 7, wherein it is secret close to send described second by secure wireless link Key.
10. according to the method described in claim 2, wherein, first privacy key is input to described first by the user In device, and second privacy key is not input to by the user in the first device.
11. according to the method described in claim 1, the method is further comprising the steps of:By in the first device and institute It states wireless communication link between the second source and the location estimation of the first device is sent to second source, and if The estimated position of the first device is in approval region, then second source sends second privacy key.
12. according to the method for claim 11, wherein the second device stores multiple link keys, and each chain Road key authorizes the access of the different stage to the second device, and second source stores multiple approval regions and multiple Second privacy key, and each in the multiple second privacy key is used to generate to the second device not The access of same level and associated at least one of the approval region, and in the position for receiving the first device After estimation, the second device determines the first device whether in the multiple one ratified in region, and If the first device is determined to be in the multiple approval one of region, second source is sent and described the One device is determined residing associated second privacy key in approval region.
13. method according to claim 11 or 12, wherein when the first device is no longer in approval region, The access of the first level of the second device is revoked.
14. according to the method for claim 13, wherein when the first device is no longer in approval region, use The safe wireless connection between the first device and the second device that first link key is established is removed.
15. according to the method for claim 13, wherein only when keeping nothing between the first device and second source The peace between the first device and the second device established using the first link key is just kept when line connects Full Wireless connects, and second source monitors the position of the first device, and be no longer on when the first device and When in the associated approval region of second privacy key for generating first link key, to described first Device is sent commands to remove using first link key foundation between the first device and the second device Safe wireless connection.
16. the method according to any one of claim 11 to 12, wherein second source is that storage is directed to multiple dresses The Central Management Server for multiple second privacy keys set.
17. method according to any one of claims 1 to 3, wherein the first device and the second device are Bluetooth enables device, and safe wireless connection is safe bluetooth connection.
18. a kind of device for safely controlling access, the device include:
Memory, the memory include first part's link key;
User's input module, user's input module are used to receive the first privacy key from user;
First communication module, the first communication module are used to receive the second privacy key from the second source;And
Link key generator, the link key generator are used for based on the first part's link key stored, described first Privacy key and second privacy key generate the first link key, or based on the first part's link key stored The second link key is generated with first privacy key;
Secure wireless communication module, the secure wireless communication module are used to use first link key or second link Key connect to establish with the safe wireless of second device, wherein in use, if first link key is used to build The wireless connection with the second device is found, then the visit of the first level to the second device is awarded in first device It asks, and if second link key is used to build up the wireless connection with the second device, described first The access of the second level to the second device is awarded in device, and the access of the second level has than the first level The few access of access.
19. device according to claim 18, wherein user's input module is keypad.
20. device according to claim 18, wherein the first communication module is by wired communications links to receive State the second privacy key.
21. according to the device described in claim 18, wherein second source is monitoring party device, and works as described device When in the first communication range in the monitoring party device, the first communication module passes through near field or short-distance wireless communication Link receives second privacy key from the monitoring party device.
22. device according to claim 18, wherein second source is monitoring party device, and works as described device not When again being in the first communication range of the monitoring party device, described device is configured as removing close using first link The secure wireless communication link that key is established.
23. the device according to claim 21 or 22, wherein the first communication module passes through secure wireless communication link To receive second privacy key.
24. device according to claim 18, wherein the first communication module be configured to mobile phone or Long-haul radio agreement is come the wireless communication module that is communicated with second source.
25. device according to claim 24, wherein described device further includes position estimator module, and wherein, institute Device is stated to be configured as filling described first by the wireless communication link between the first device and second source The location estimation set is sent to second source.
26. according to the device described in claim 25, wherein described device also receives batch with second privacy key Quasi- region, and described device is configured as when the location estimation of described device is no longer in the approval region, it will be sharp It is connected and is removed with the safe wireless between described device and the second device that first link key is established.
27. device according to claim 25, wherein only when being maintained at wireless between described device and second source The safe wireless between described device and the second device established using first link key is just kept when connection Connection, and described device is configured to respond to tear open by the order from second source for being wirelessly connected reception Except the safe wireless connects.
28. the device according to any one of claim 18 to 22, wherein the first communication module includes the safety Wireless communication module.
29. the device according to any one of claim 18 to 22, wherein the secure wireless communication module is that bluetooth opens With communication module, and safe wireless connection is safe bluetooth connection.
30. a kind of device for safely controlling access, the device include:
Memory, the memory include at least the first link key and the second link key;
Wireless communication module, the wireless communication module using first link key or second link key for being built It is vertical to be connect with the safe wireless of second device;
Access control module, which is used for will be to one or more functions of described device or the access of resource It is granted to the second device, wherein connected if establishing the safe wireless with the first link key value, the access control The access of first level is granted to the second device by molding block, and if establishes the safety with the second link key value It is wirelessly connected, then authorizes the access of second level, the access of the second level is with fewer than the access of the first level It accesses, wherein in use, based on the part of links key stored, the first privacy key received from the first source and from the The second privacy key that two sources receive generates first link key in the second device, and uses stored portion Point link key and first privacy key that is received from first source generate the second link key value.
31. device according to claim 30, wherein described device is weapon, and one or more function Or resource includes being fired to the weapon.
32. the device according to claim 30 or 31, wherein the wireless communication module is that bluetooth enables communication module, And the safe wireless connection is safe bluetooth connection.
33. a kind of monitoring party device, the monitoring party device include:
Memory, the memory is for storing privacy key;
Communication module, which is used to establish and the communication link of first device, and the privacy key is supplied to The first device is for generating link key, which is used to generate and the secure connection of second device, wherein making In, the first device uses stored part of links key, the first privacy key from the first source and by described The privacy key that monitoring party device provides generates the link key, and if the link key generated is used to build up Secure wireless communication link between the first device and the second device, then the first device be awarded to described The access of the first level of second device, and if the first device uses stored part of links key and described One privacy key generates the link key, then the visit of the second level to the second device is awarded in the first device It asks, the access of the second level has the access fewer than the access of the first level.
34. monitoring party device according to claim 33, the monitoring party device further include:
User's input module, user's input module are used to receive the privacy key from user.
35. monitoring party device according to claim 33, wherein described device is mancarried device.
36. monitoring party device according to claim 33, wherein described device is installed in fixed position.
37. monitoring party device according to claim 33, wherein the communication module will be described secret by wired connection Key is provided to the first device.
38. monitoring party device according to claim 33, wherein the communication module is assisted using near field or short haul connection View provides the privacy key to the first device.
39. monitoring party device according to claim 33, wherein the communication module is by safe wireless connection by institute Privacy key is stated to provide to the first device.
40. monitoring party device according to claim 33, wherein the memory storage is for using the privacy key Approval region, and the monitoring party device further includes location verification module, which is configured as receiving institute The location estimation of first device is stated, and is only in the feelings in the approval region in the location estimation of the first device Under condition, the privacy key is sent to the first device.
41. monitoring party device according to claim 40, wherein the location estimation is via the communication module from institute State the location estimation of first device reception.
42. monitoring party device according to claim 40, wherein the memory stores multiple approval regions and multiple the Two privacy keys, and each in the multiple second privacy key is related at least one of the approval region Connection, and the location verification module is configured such that after the location estimation for receiving the first device, the supervision Square device determines the first device whether in the multiple one ratified in region, and if the first device It is determined to be in one of the multiple approval region, then it is related to be determined residing approval region to the first device The privacy key of connection is sent to the first device.
43. monitoring party device according to claim 42, wherein the approval region is sent to by the monitoring party device The first device with the privacy key.
44. monitoring party device according to claim 42, wherein location verification module is configured as sending out by privacy key It is sent to the first device and monitors the position of the first device later, and be used for if detecting that the first device leaves Using the approval region of the privacy key, then sends commands to dismounting use to the first device and utilize the secret The first link that key generates connects come the safe wireless established.
45. the monitoring party device according to any one of claim 40 to 44, wherein the monitoring party device is storage For the Central Management Server of multiple privacy keys of multiple devices.
46. the monitoring party device according to any one of claim 33 to 44, wherein the privacy key is used to build up Safe bluetooth connection.
47. a kind of system for safely controlling access, the system include:
According to the first device of any one of claim 18 to 29;
According to the second device of claim 30,31 or 32;And
According to the monitoring party device of any one of claim 33 to 46.
48. a kind of first device for safely controlling access, the first device include:
Wireless communication module;
Memory, the memory include first part's link key;
User's input module, user's input module are used to receive the first privacy key from user;And
Processor, the processor are configured as the method described in any one of perform claim requirement 1 to 17.
49. a kind of second device for safely controlling access, the second device include:
Wireless communication module;
Memory, the memory include the first link key and the second link key;
Processor, the processor are configured as the method described in any one of perform claim requirement 1 to 17.
50. a kind of monitoring party device, the monitoring party device include:
Communication module;
Memory, the memory is for storing the second privacy key;
Processor, the processor are configured as the method described in any one of perform claim requirement 1 to 17.
51. a kind of computer-readable medium, which wants for perform claim when being executed by a processor Ask the instruction of the method described in any one of 1 to 17.
CN201480037018.7A 2013-10-16 2014-03-18 Method and system for controlling the access to wireless device Active CN105594154B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
SG2013076898A SG2013076898A (en) 2013-10-16 2013-10-16 Method and system for controlling access to wireless apparatuses
SG201307689-8 2013-10-16
PCT/SG2014/000134 WO2015057161A1 (en) 2013-10-16 2014-03-18 Method and system for controlling access to wireless apparatuses

Publications (2)

Publication Number Publication Date
CN105594154A CN105594154A (en) 2016-05-18
CN105594154B true CN105594154B (en) 2018-09-21

Family

ID=52828469

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480037018.7A Active CN105594154B (en) 2013-10-16 2014-03-18 Method and system for controlling the access to wireless device

Country Status (9)

Country Link
US (1) US9479514B2 (en)
JP (1) JP2017502618A (en)
KR (1) KR101835863B1 (en)
CN (1) CN105594154B (en)
AU (1) AU2014337434B2 (en)
GB (1) GB2532146B (en)
HK (1) HK1224477A1 (en)
SG (1) SG2013076898A (en)
WO (1) WO2015057161A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN205050141U (en) * 2014-09-30 2016-02-24 苹果公司 Electronic equipment
US9924010B2 (en) * 2015-06-05 2018-03-20 Apple Inc. Audio data routing between multiple wirelessly connected devices
CN104954389B (en) * 2015-07-15 2018-12-25 福州大学 The time-varying cryptographic key distribution method of ad hoc network
CN106557802B (en) 2015-09-30 2019-08-30 东芝存储器株式会社 Storage device and information processing system
JP6453808B2 (en) * 2015-09-30 2019-01-16 東芝メモリ株式会社 Storage device
WO2018004303A1 (en) * 2016-07-01 2018-01-04 엘지전자(주) Authentication method and system for device using bluetooth technology
US9857133B1 (en) * 2016-08-11 2018-01-02 Biofire Technologies Inc. System and method for authenticating an identity for a biometrically-enabled gun
FR3079984B1 (en) 2018-04-09 2021-03-05 Tekcem PROCESS FOR AUTOMATICALLY ADJUSTING A TUNING UNIT, AND RADIO TRANSCEIVER USING THIS PROCESS
FR3117661B1 (en) 2020-12-14 2022-11-04 Excem Method for automatically adjusting an ion cyclotron resonance heating system of a thermonuclear reactor
FR3118562B1 (en) 2021-08-12 2022-12-02 Excem Method for automatic adjustment of an ion cyclotron resonance heating system of a thermonuclear reactor
CN114025347B (en) * 2021-11-03 2023-12-01 苏州欧清电子有限公司 Encryption method, device and equipment of Bluetooth equipment and storage medium
US11647392B1 (en) 2021-12-16 2023-05-09 Bank Of America Corporation Systems and methods for context-aware mobile application session protection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101093529A (en) * 2006-06-23 2007-12-26 捷讯研究有限公司 Pairing to a wireless peripheral device at the lock-screen
CN101860859A (en) * 2009-04-13 2010-10-13 新康电脑科技(苏州)有限公司 Short-distance safe and secure communication method for mobile subscribers based on Bluetooth technology
CN102147836A (en) * 2010-12-23 2011-08-10 北京格致璞科技有限公司 Multifunctional electronic equipment and management system and management method thereof
CN102315864A (en) * 2011-09-07 2012-01-11 百度在线网络技术(北京)有限公司 Method of point-to-point data transmission for mobile device and device
CN102938168A (en) * 2012-09-25 2013-02-20 昶翔科技股份有限公司 Bluetooth vehicle control system and method for managing vehicle by using bluetooth system

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH01122227A (en) * 1987-11-06 1989-05-15 Konica Corp Transmission equipment
US20020141586A1 (en) * 2001-03-29 2002-10-03 Aladdin Knowledge Systems Ltd. Authentication employing the bluetooth communication protocol
US20060064458A1 (en) * 2002-09-16 2006-03-23 Christian Gehrmann Secure access to a subscription module
US8428261B2 (en) * 2003-06-20 2013-04-23 Symbol Technologies, Inc. System and method for establishing authenticated wireless connection between mobile unit and host
EP2937805B1 (en) * 2003-09-30 2022-01-05 Nxp B.V. Proximity authentication system
JP2005260614A (en) * 2004-03-12 2005-09-22 Dainippon Printing Co Ltd Encryption device
KR100745999B1 (en) * 2004-12-17 2007-08-06 삼성전자주식회사 Bluetooth device and method for offering service determined by Bluetooth PIN
SG158780A1 (en) 2008-08-01 2010-02-26 Certis Cisco Security Pte Ltd Bluetooth pairing system, method, and apparatus
JP5369920B2 (en) * 2009-06-12 2013-12-18 富士通モバイルコミュニケーションズ株式会社 Wireless communication apparatus and wireless communication method
US9367678B2 (en) * 2012-02-29 2016-06-14 Red Hat, Inc. Password authentication
EP2847706B1 (en) * 2012-03-14 2016-05-18 Robert Bosch GmbH Device pairing with audio fingerprint encodings
US9083703B2 (en) * 2012-03-29 2015-07-14 Lockheed Martin Corporation Mobile enterprise smartcard authentication
WO2013191648A1 (en) * 2012-06-20 2013-12-27 Certis Cisco Security Pte Ltd Bluetooth pairing system, method, and apparatus
US20140068744A1 (en) * 2012-09-06 2014-03-06 Plantronics, Inc. Surrogate Secure Pairing of Devices
US8438631B1 (en) * 2013-01-24 2013-05-07 Sideband Networks, Inc. Security enclave device to extend a virtual secure processing environment to a client device
US9210733B2 (en) * 2013-03-14 2015-12-08 Google Technology Holdings LLC Method and apparatus to facilitate pairing between wireless devices
US9332007B2 (en) * 2013-08-28 2016-05-03 Dell Products L.P. Method for secure, entryless login using internet connected device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101093529A (en) * 2006-06-23 2007-12-26 捷讯研究有限公司 Pairing to a wireless peripheral device at the lock-screen
CN101860859A (en) * 2009-04-13 2010-10-13 新康电脑科技(苏州)有限公司 Short-distance safe and secure communication method for mobile subscribers based on Bluetooth technology
CN102147836A (en) * 2010-12-23 2011-08-10 北京格致璞科技有限公司 Multifunctional electronic equipment and management system and management method thereof
CN102315864A (en) * 2011-09-07 2012-01-11 百度在线网络技术(北京)有限公司 Method of point-to-point data transmission for mobile device and device
CN102938168A (en) * 2012-09-25 2013-02-20 昶翔科技股份有限公司 Bluetooth vehicle control system and method for managing vehicle by using bluetooth system

Also Published As

Publication number Publication date
AU2014337434B2 (en) 2018-11-01
HK1224477A1 (en) 2017-08-18
KR101835863B1 (en) 2018-04-19
WO2015057161A1 (en) 2015-04-23
GB2532146A (en) 2016-05-11
US20160156636A1 (en) 2016-06-02
GB201522601D0 (en) 2016-02-03
JP2017502618A (en) 2017-01-19
CN105594154A (en) 2016-05-18
SG2013076898A (en) 2015-05-28
GB2532146B (en) 2020-09-16
AU2014337434A1 (en) 2016-01-28
US9479514B2 (en) 2016-10-25
KR20160043525A (en) 2016-04-21

Similar Documents

Publication Publication Date Title
CN105594154B (en) Method and system for controlling the access to wireless device
JP6970080B2 (en) How to control access to an in-vehicle wireless network
US10963870B2 (en) Method and system for network communication
CN106060760B (en) Method and apparatus for managing beacon apparatus
JP5899380B2 (en) Bluetooth pairing system, method and apparatus
US20110119745A1 (en) Network authentication
CN105346502A (en) Keyless entry method and system of vehicle
CN203278811U (en) Mobile terminal using NFC to transfer WIFI hotspot secret key or certificate
CN107205208B (en) Authentication method, terminal and server
CN104270758A (en) Method for safely establishing connection with server and conducting authorization through WIFI
CN109561429B (en) Authentication method and device
CN105282868A (en) System and Method for Temporarily Joining a WiFi Network
CN105050086A (en) Method for terminal to log in Wifi hotspot
US11354958B2 (en) Wireless device enabled locking system having different modalities
KR101617707B1 (en) Electronic key system with function for transffering control right for electronic lock system
WO2018113402A1 (en) Method and device for joining access node group
CN101635922B (en) Safety communication method of wireless mesh network
KR102121658B1 (en) Block chain system in d2d communication environments and constructing method thereof
CN107786978B (en) NFC authentication system based on quantum encryption
CN109150915A (en) A kind of method trusted each other between mist calculate node
CN110831000B (en) Secure access method, device and system
KR20120084630A (en) Authentication system and method based by positioning information
CN100559906C (en) Be used for the method for registration mobile terminal device on the access point of local communication network and access point and the terminal equipment that is used to carry out this method
CN104782154B (en) A kind of method and apparatus for disabling algorithm in a device
JP2016512621A (en) How to control contactless transactions

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant